Cloning DESFire even possible?

I recently got my pm3 setup (thanks, everyone). I am hoping to try to clone a card I have.

This is the result of running the auto command. I was not able to find any resources for this. Is this possible to do? I would be happy to run some commands if you need. Thanks for your help.

Well Yes and No, but mostly No

There are no implants that you can clone it to…But you sort of can…kinda

So, here’s the abbreviated nutshell

Mifare DESFire has yet to be cracked

BUT you have a few options available to you
(I am assuming you want this DESFire access on an implant?)
Here’s what I would try, in the order I would try:

  • See the access administrators and ask if you could enroll an implant (simplified, and some social engineering may be required). This implant MIGHT be possible to be another 7-byte implant, of which there are a few, including the FlexDF2, xDF2, and FlexDF. First I would get a test card bundle and try them all out; that way you will know which implants, if any, are compatible.
    The problem you may have is that the DF EV2 you have might have an applet written to the card.

  • Get a conversion service done with your card (the turnaround time for this may vary, and the cost is around $200, BUT a guaranteed success)

  • Get a Mifare Compatible 4K Magic UID (7 Byte) – Changeable UID Card
    LINK
    (There are limitations to this, See the link for more info BUT the UID is changeable with your Proxmark ( follow link for command line), so if that is all the access system is checking you are golden) Then send THIS one off for conversion.

Any more questions, fire away

Thank you for your thorough response. I was actually just trying to clone the card onto another card. Would I be able to clone my original onto the Mifare Compatible 4K Magic UID (7 Byte) – Changeable UID Card? Are there any resources for this?

Yes buddy, All in the link…actually sorry that link doesn’t have the same info, The Lab401 link (below) has a bit more info that should explain it further.

Basically, as far as cloning DESFire goes, that’s probably the closest you will get.
So worth a try, but still not guaranteed

A cheaper option would be a 7byte Mifare classic card, but less likely to work

How would I go about cloning the card? What command is equivalent to hf mf chk that will work for this card? Do I dump the contents of my card to a dump file and then upload that to the cards you just linked? This is the first card I have attempted to clone and I have only found resources for Mifare Classic cards. Thanks for all your help.

You aren’t really able to clone as such; you are hoping that the system you are wanting to use it on is ONLY looking for the UID.

So on the DESFire Modifiable card, this is the command you would send

hf 14a raw -s -c 02 00 ab 00 00 07 xx xx xx xx xx xx xx

Where xx xx xx xx xx xx xx is your target UID.

That’s your basic UID change, and that MIGHT be all you need.
HOWEVER
I don’t want to dive too deep, just know there are another couple of factors that COULD be of importance.

The ATS / ATQA on the card are fixed (you can’t modify these)
06 75 77 81 02 80 02 F0
But it is the same as your screenshot above

The SAK values can be modified, but not by you, so if you needed this to be changed, you would request that when you order the card.

I’m not sure of the default SAK values of the Modifiable card and I am away from mine at the moment to check, so I’ll do that for you later.

I hope that makes sense, I don’t want to overwhelm you.

but feel free to ask more questions

not to mention that the magic desfire cards don’t actually (to my knowledge) support any secure applications… they just appear to be a desfire card to a reader that doesn’t do any deep digging or use any of the secure features of the desfire… which is highly unlikely since the whole point of supporting desfire cards is to use the secure features… and the desfire chips are 10x more expensive than cheap insecure 125khz LF chips… so if the company is paying to use desfire, then it’s pretty much a guarantee they are going to be using the secure features of the desfire… why else pay 10x to make cards and fobs for the system if they don’t?
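
Added example (not part of the thread or any poster's code): a Python simulation of the point made in the last posts, comparing a reader that trusts the UID alone with one that requires the card to prove it holds a key. HMAC-SHA256 stands in for DESFire's real key-based authentication, and the class names, UID and key are constructed for illustration.

```python
import hashlib
import hmac
import os

UID = bytes.fromhex("04112233445566")  # constructed 7-byte UID
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key

def _answer(key, uid, challenge):
    # Assumption: HMAC stands in for the card's real authentication protocol.
    return hmac.new(key, uid + challenge, hashlib.sha256).digest()

class GenuineCard:
    """Holds a secret key that never leaves the chip."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key
    def respond(self, challenge):
        return _answer(self._key, self.uid, challenge)

class UidOnlyCopy:
    """Presents the same UID but has no key material."""
    def __init__(self, uid):
        self.uid = uid
    def respond(self, challenge):
        return bytes(32)  # no key, so no valid answer

def uid_only_reader(card, allowed_uids):
    """Weak check: grants access on the UID alone."""
    return card.uid in allowed_uids

def authenticating_reader(card, enrolled):
    """Stronger check: the UID selects a key, a fresh challenge proves possession."""
    key = enrolled.get(card.uid)
    if key is None:
        return False
    challenge = os.urandom(16)
    expected = _answer(key, card.uid, challenge)
    return hmac.compare_digest(expected, card.respond(challenge))

def compare_readers():
    genuine, copy = GenuineCard(UID, KEY), UidOnlyCopy(UID)
    return {
        "uid_only/genuine": uid_only_reader(genuine, {UID}),
        "uid_only/copy": uid_only_reader(copy, {UID}),
        "auth/genuine": authenticating_reader(genuine, {UID: KEY}),
        "auth/copy": authenticating_reader(copy, {UID: KEY}),
    }

if __name__ == "__main__":
    for name, granted in compare_readers().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

A system that only performs the first check accepts any card presenting an enrolled UID; one that performs the second rejects it because the UID is used only to look up the key.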